Swipe and PIN

Poncke

Hello, why is it necessary to swipe and pin via de the mobile app to approve an online payment ?

The swipe is completely redundant if you ask for the pin. Can you please remove the swipe option when you are asking for the pin to approve an online payment.

Also, can you remove the swipe for approving a bank transaction within the app. You have to put your pin and then swipe. It makes no sense whatsoever to add a swipe when a pin is requested. I am already logged into the app, then have enter my pin again for the transaction and then swipe.

You really have a knack for making stuff cumbersome rather than easier. And you don't listen to feedback either, as this has been asked many times.

I fail to see the added security and value add of a swipe in above two examples.

Bank of Ireland: Tara

https://www.boards.ie/discussion/2058215785/swipe-and-pin

Hi Poncke,

Thanks for your post.

With the introduction of PSD2 legislation we are required to enable Two Factor Authentication for online payments - this includes transfers made through the app or online and debit/credit card payments. Two Factor steps include 1. Something the User Possesses for example a smart device (smartphone or tablet) or a Physical Security Key AND 2. Something only the User knows – for example your PIN.

As this is a mandatory requirement we are unable to change this to one step.

Thanks

Tara

Poncke

Yes, that makes no sense. If I log into my app on my phone then I have completed condition number 1. So you don't have to ask me to swipe to complete condition 1 again. So why does BOI ask me to complete condition 1 twice?

Bank of Ireland: Tara

https://www.boards.ie/discussion/comment/118103626#Comment_118103626

Thanks for getting back to us. The European Commission has requested that all banks in the EU introduce extra security checks whenever customers are logging into their account online and when they are moving money out of their accounts. Going forward, when you do either of those things we’ll be asking you to confirm it’s actually you the account holder. For more information on PSD2 please see www.bankofireland.com/psd2.

Thanks

Tara

Poncke

https://www.boards.ie/discussion/comment/118105444#Comment_118105444

How is me swiping the app proving that I am the account holder?? If I have logged into the app, I have then proven that I am the account holder. Asking me to swipe ads nothing, I think you are misunderstanding what I am referring to.

When I have logged on to my app on my phone using my PIN, I have completed condition 1, when I then enter the PIN to confirm the transaction, I have completed step 2. So why are you asking me to swipe to complete the transaction when I have already completed step 1 and 2. BOI has added a 3rd requirement by adding the swipe. So why does BOI require 3 steps, when the EU only asks for 2 steps.

Bank of Ireland: Tara

https://www.boards.ie/discussion/comment/118137280#Comment_118137280

Thanks again for getting back to us Poncke. Sorry if we haven't explained this clearly, Strong Customer Authentication uses Two Factor Authentication -

Step 1 Something only the user possesses – for example a smart device (smartphone or tablet) or a Physical Security Key* (PSK)

Step 2 Something only the user knows - for example your 365 PIN.

These two steps are required every time you either log in or move funds from your account (by bank transfer or using a card). For example - when you log on you must complete these two steps and anytime you move funds from your account you must complete these two steps.

Thanks

Tara

Poncke

Step 1, when I logon to my app on my SMARTPHONE, does that not fulfil option 1 ??

BOI is asking me to complete 3 steps.

1. logon to my app on my SMARTPHONE using my PIN
2. enter the PIN to complete the transaction
3. swipe on the app to complete

Do you not see this as 3 steps and step 1 something I possess is completed TWICE in step 1 and 3.

Bank of Ireland: Tara

https://www.boards.ie/discussion/comment/118140234#Comment_118140234

To meet regulatory requirements two factor authentication needs to be in place when customers are logging on to their account and when moving funds from their account. Actions completed at log in are to authenticate the customer logging in and cannot be used for further actions such as transferring funds.

Thanks

Tara

Poncke

OK, I give up, it makes no sense to have a swipe when I am on the mobile app. It makes sense to swipe on the phone when I am purchasing on a computer, but it makes no sense to swipe on the app when I am on my phone doing transactions. It has no additional security value at all.

It is just an annoyance, but BOI has proven over the past decade not to listen to their customers.

Bank of Ireland: Tara

We're sorry you feel this way and we'll ensure your feedback is forwarded to the relevant team.

Thanks

Tara

HalfAndHalf

Hi Tara, I’m with Poncke on this.

Whats being said is that the swipe has no value as the PIN is also required to authenticate the purchase.

What BOI are doing is 3 things.

1. be in possession of the app on a personal device (possess)
2. swipe
3. enter 3 digits of the personal PIN (know)

Removing the swipe still keeps the process in line with 2FA requirements.

Look at it this way, absolutely anyone can swipe the screen, but only someone who knows the PIN can enter the 3 digits, be it’s very definition the ‘swipe’ function is pointless from a security perspective.

Thanks.

Bank of Ireland: Tara

https://www.boards.ie/discussion/comment/118140573#Comment_118140573

Hi HalfAndHalf,

Please be assured we appreciate your feedback and we'll ensure to pass this on.

Thanks

Tara

I haven't used boards in a while, but I will hop on the bandwagon here. The amount of authentication is simply nonsensical.

I don't know if our feedback goes straight into the recycle bin or not, but I really do hope it goes to someone who has a say on this stuff. It's become extremely difficult especially for older people I know who haven't a notion what they're doing. I'm 33 and fairly used to tech/phones in day to day life and I despise it too. Way too over the top.

If I log into BOI 365 on my desktop i have to enter my 8 digit number and then 3 of my 6 digit pin. How is that not enough to verify that I am the account holder? Why do i need to duplicate the efforts on my easily-stolen/misplaced phone? It's so frustrating.

I think the swipe is just one last "are you sure?" rather than an actual security or 2FA function?

Poncke

https://www.boards.ie/discussion/comment/118140731#Comment_118140731

It's used as a security function, because when I order online I need to swipe on my mobile app (without logging in), so in that case it is 2FA.

However when working in the app on my phone, it has no added value and it is not to confirm if I am sure. If I just entered a PIN, then I am pretty sure I want the transaction to happen.

Tow

The real joke is the amount of money BOI have paid upgrading their IT for this nonsense.

It does not even work correctly...

Two examples in the last few days:

Wife has paper less credit card statements for years. Random paper statement arrived a few days ago.

I ordered a up-to-date current account statement yesterday. Got a text message today saying "

You ordered a duplicate statement from 365 online for account *****xxx. This will be issued to you shortly. We are happy to say there is no charge for this. Thanks for banking with Bank of Ireland."

Dam right there should be no change, it was NOT a duplicate statement. With over 1Bn spent upgrading, BOI should also be able to generate the statements in real time. Other banks can!